3 Steps for Creating a HIPAA-Compliant Healthcare App

Healthcare Mobile Apps

HIPAA, the Health Insurance Portability and Accountability Act, was created to protect the privacy and security of patients' personal health data. When building a healthcare app, HIPAA compliance must be considered carefully and adhered to throughout every stage of development. HIPAA regulation is complex and continues to change, so maintaining compliance means your app must keep evolving with it.

It's important to note that ADA and GDPR are two other compliance considerations that also require careful attention, but we won't be covering them in this article.

#1 Restrict the Storage of PHI on a Phone

Protected Health Information (PHI) must always be at the forefront of consideration when building a HIPAA-compliant healthcare app. The 18 PHI identifiers* are all forms of identifying information, and a healthcare app must handle this data safely and securely. It is very important that a healthcare app does not allow users to store PHI on their mobile device.

If the app ever accidentally sends sensitive information to the wrong patient, that data cannot be recalled once it is saved to the user's phone. Ideally, data should be pulled from the source EMR or PM system for the user in real time and never saved on the device. Second, it is highly unlikely that a patient has a HIPAA-compliant mobile device, so giving patients the ability to save PHI to the device is a high security risk.

#2 Keep Notifications Private and Secure

Healthcare apps use notifications to alert patients to sensitive and private information. Whether you are sending a patient an email, push notification, or SMS, it is critical that the notification follows strict guidelines. The notification should never give out any specific or identifiable information that pertains to the patient or the healthcare organization. A violation could lead to a major breach of a patient's privacy. Anyone near the patient's phone can read a notification as it arrives, and for that reason notifications need to be as secure as possible. A good example of a notification is, "You have a new private message". By contrast, a notification should never read, "Hi John, your dermatologist appointment with Dr. Smith is tomorrow."
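As an added example (not code from the original article), here is a server-side notification builder in Python that only ever sends one of a few generic template bodies, backed by a heuristic check that rejects text containing phone numbers, dates, e-mail addresses, or person names introduced by a title or greeting. The template strings, notification kinds and device token are constructed placeholders.

```python
import re

# Approved, deliberately generic notification bodies (constructed for this example).
# The identifying details stay on the server and are fetched only after the patient
# authenticates in the app, so nothing in the notification itself is PHI.
APPROVED_BODIES = {
    "new_message": "You have a new private message",
    "appointment": "You have an upcoming appointment. Open the app for details.",
    "new_result": "A new result is available in your account.",
}

# Heuristic patterns for PHI identifiers that must never appear in a notification:
# phone numbers, dates, e-mail addresses, and person names introduced by a title
# or a greeting. This is a safety net behind the template whitelist, not a
# substitute for it.
PHI_PATTERNS = [
    re.compile(r"\b\d{3}[-.\s]?\d{3}[-.\s]?\d{4}\b"),    # phone number
    re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),          # calendar date
    re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),             # e-mail address
    re.compile(r"\b(?:Dr|Mr|Mrs|Ms)\.?\s+[A-Z][a-z]+"),  # titled person name
    re.compile(r"\b(?:Hi|Hello|Dear)\s+[A-Z][a-z]+"),    # greeting with a first name
]


def find_phi(text):
    """Return every substring of text that looks like a PHI identifier."""
    hits = []
    for pattern in PHI_PATTERNS:
        hits.extend(match.group(0) for match in pattern.finditer(text))
    return hits


def build_notification(kind, device_token):
    """Build a push payload for one of the approved notification kinds.

    device_token is the opaque push token of the patient's device (a placeholder
    here). The payload carries only the generic body plus a 'kind' so the app
    knows which screen to open after the user logs in. Refuses to build anything
    whose body trips the PHI heuristics.
    """
    if kind not in APPROVED_BODIES:
        raise ValueError("unknown notification kind: %s" % kind)
    body = APPROVED_BODIES[kind]
    leaked = find_phi(body)
    if leaked:
        raise ValueError("notification body contains PHI-like content: %r" % leaked)
    return {"to": device_token, "title": "Notification", "body": body,
            "data": {"kind": kind}}
```

The same `find_phi` check can be wired into a template review step so that a developer cannot add a body like the "Hi John" example above without the build failing.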

#3 Use a Hosting Service that is HIPAA-Compliant

When considering hosting for your healthcare app, HIPAA once again needs to be taken very seriously. Patient information must always be hosted in a cloud service that is HIPAA-compliant. For example, Medical Web Experts, a leading medical web design company, uses Amazon's HIPAA-compliant cloud as the foundation of its HIPAA-compliant cloud hosting service, the MWE Cloud.

For more information about the development of a healthcare app by expert developers that understand HIPAA compliance, please contact Medical Web Experts today.

*18 PHI Identifiers

1. Names 

2. All geographical subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes. 

3. All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death, and more.

4. Phone numbers

5. Fax numbers

6. Electronic mail addresses 

7. Social Security numbers

8. Medical record numbers

9. Health plan beneficiary numbers

10. Account numbers

11. Certificate/license numbers

12. Vehicle identifiers and serial numbers, including license plate numbers

13. Device identifiers and serial numbers

14. Web Universal Resource Locators (URLs)

15. Internet Protocol (IP) address numbers

16. Biometric identifiers, including finger and voice prints

17. Full face photographic images and any comparable images

18. Any other unique identifying number, characteristic, or code (note this does not mean the unique code assigned by the investigator to code the data)